OAuth 2.0 Security Used By Facebook, Others Called Weak

The OAuth 2.0 API security protocol, used by Facebook and Salesforce.com, may be too easy to crack, critics contend

By Joab Jackson
Wed, September 22, 2010

IDG News Service — The emerging OAuth 2.0 Web API authorization protocol, already deployed by Facebook, Salesforce.com and others, is coming under increased criticism for being too easy to use, and therefore to spoof by malicious hackers.

"The OAuth community has made a big mistake about the future direction of the protocol," wrote Yahoo (YHOO) director of standards development Eran Hammer-Lahav in a blog post last week. Hammer-Lahav's criticism may carry more weight than those from the usual naysayer, because he is actually one of the creators of OAuth.

"What makes this more frustrating is that the people behind [OAUTH 2.0] are some of the brightest security minds on the Web. These guys know exactly what they are doing, and it's not like they don't care," Hammer-Lahav wrote. "They just gave up and decided that the best they can do is maintain the status quo. They are also representing a large and powerful coalition of big companies too lazy to work a little harder."

Hammer-Lahav's words may strike an ominous chord, given how both public and enterprise-based Web services are rapidly adopting the draft IETF (Internet Engineering Task Force) standard as a way for Web services to share data. The final version of the specification, which has been authored by engineers at Google (GOOG), Microsoft (MSFT), Yahoo, Facebook and others, is expected this fall.

On Sunday, a Salesforce.com engineer announced on the OAuth developer mailing list that the cloud-based enterprise software service was rolling out support for OAuth 2.0. In August, Microsoft added OAuth 2.0 as one of the options for access control for its Azure cloud platform.

Facebook now uses OAuth 2.0 as the preferred method for third-party apps to draw user information from the service. The open source Drupal content management system is building out support for OAuth 2.0 as swell.

Another potential user may be Twitter, which just converted to OAuth version 1.0a at the beginning of the month. Rumors have abounded that the service will move to version 2.0 though thus far engineers have remained quiet on the possibility.

OAuth provides a method of third party authentication that allows Web services to share data through their APIs (application programming interfaces). A user establishes an account with one service, and a server from that service can provide others services with tokens that can be used to access that data. So a user with a Facebook account, for instance, can approve a third-party application to access some of his or her Facebook information, without actually providing the service with a log-in name and password.

Continue Reading

Our Commenting Policies